ABSTRACT

Participants in a cryptosystem select their own elliptic curve and finite field, rather than using a centrally chosen elliptic curve. The curve is chosen from a predetermined set of elliptic curves expressed as Weierstraß model equations. The public key is based on a participant's unique ID, which must be exchanged during communication setup for non-cryptographic reasons, and a randomly chosen bitstring having a length based on security considerations. The public key can be readily constructed from parameters and mapping functions which are known system-wide and from a small amount of participant dependent data.

17 Claims, 12 Drawing Sheets 
CRYPTOSYSTEMS WITH ELLIPTIC CURVES CHOSEN BY USERS

BACKGROUND OF THE INVENTION 

The present invention relates to cryptographic systems, and, more particularly, is directed to elliptic curve cryptosystems in which participants pick their own elliptic curves rather than using a centrally chosen elliptic curve.

In a conventional elliptic curve cryptosystem, as shown in FIG. 1, a central facility selects a finite field, an elliptic curve, a generator of an appropriate subgroup of the group of points of the elliptic curve over the finite field, and the order of that generator. The central facility distributes these data among the participants in the cryptographic system. Each participant then selects a secret key, computes a corresponding public key, and may optionally obtain certification for its public key. The objective of the certificate is to make one party's public key available to other parties in such a way that those other parties can independently verify that the public key is valid and authentic. An advantage of the conventional system is that, while a lot of computation is required both to obtain the cardinality of the group of points of an elliptic curve over a finite field and to find an elliptic curve for which this cardinality satisfies the security requirements, this computation need not be performed by the participants, for whom it would be very burdensome, as it is performed once by the central facility.

Conventional elliptic curve cryptosystems are used in the same applications as public key cryptosystems, such as authentication, certification, encryption/decryption, signature generation and verification.

As shown in FIG. 2, to use the conventional elliptic curve 
cryptosystem, two parties wishing to communicate 
exchange their cryptographic data, and then proceed with 
their communication, such as a signature scheme or a data 
encryption/decryption scheme. Advantageously, the number 
of bits exchanged during communication setup between 
parties is small. 

A serious problem with the above-described conventional elliptic curve cryptosystem is that all participants are vulnerable to an attack on the centrally selected elliptic curve and finite field. That is, the system is vulnerable to a concentrated attack on the Discrete Logarithm problem in the group defined by the centrally selected elliptic curve and finite field.

Due to the desire that the cryptographic functionality be implementable in a small, inexpensive, low power device, it is considered impractical for each participant to choose its own elliptic curve. More particularly, allowing each participant to choose its own elliptic curve improves system security but results in a complicated system setup phase.

In conventional elliptic curve cryptosystems, the number of bits exchanged between parties during communication set-up is small, typically representing the parties' identities and the parts of their public keys that differ, i.e., not the curve and field shared by all parties. If each participant chose its own elliptic curve, another disadvantage would be that more data would have to be exchanged during communication set-up; specifically, the complete public keys including curves and fields would have to be exchanged during communication setup.

In view of these issues, there is a need to reduce the 
vulnerability to attack of elliptic curve cryptosystems. 

SUMMARY OF THE INVENTION

In accordance with an aspect of this invention, there is provided a method of establishing a cryptographic system among participants, comprising the steps of: selecting a curve E from a predetermined set of elliptic curves, selecting a finite field, selecting a secret key, and obtaining a public key, wherein the steps of selecting a curve E, a finite field, a secret key and obtaining a public key are performed locally by each of the participants.

In an embodiment of the present invention, the predetermined set of elliptic curves are expressed as Weierstraß model equations, specifically:

y² = x³ + 16;
y² = x³ - 270x - 1512;
y² = x³ - 35x - 98;
y² = x³ - 9504x - 365904;
y² = x³ - 608x + 5776;
y² = x³ - 13760x + 621264;
y² = x³ - 117920x + 15585808; and
y² = x³ - 34790720x + 78984748304.

In an embodiment of the present invention, the step of obtaining a public key includes selecting a bitstring s having a predetermined length based on security considerations, and obtaining a prime number p based on the selected bitstring s and a unique bitstring ID of the respective participant.

In accordance with an aspect of this invention, there is provided a method of reconstructing a public key for a participant in a cryptographic system, comprising the steps of forming intermediate integers a and b based on the participant's ID, obtaining a prime number p as a function of the intermediate integers a and b, selecting a curve E from a predetermined set of elliptic curves, picking a point Q on the selected curve based on the participant's ID, and constructing the public key from the prime number p, the selected curve E and the point Q.

In an embodiment of the present invention, the predetermined set of elliptic curves are expressed as Weierstraß model equations.

It is not intended that the invention be summarized here in its entirety. Rather, further features, aspects and advantages of the invention are set forth in or are apparent from the following description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of setup of a prior art cryptosystem;

FIG. 2 is a flowchart of operation of a prior art cryptosystem;

FIG. 3 is a flowchart of setup of a cryptosystem according to the present invention;

FIG. 4 is a flowchart of operation of a cryptosystem according to the present invention;

FIG. 5 shows a flow chart for Participant Setup;

FIG. 6 shows a flow chart for checking conditions on the pair of intermediate integers a and b;

FIG. 7 shows a flow chart for checking whether the intermediate integers a and b satisfy the condition for discriminant -3;

FIG. 8 shows a flow chart for checking whether the intermediate integers a and b satisfy the condition for discriminant -8;
FIG. 9 shows a flow chart for checking whether the intermediate integers a and b satisfy the condition for discriminant -d, d being one of (7, 11, 19, 43, 67, 163);

FIG. 10 shows a flow chart for checking whether the point condition is satisfied for ID, s, e, p, q and E;

FIGS. 11A and 11B are a flowchart of a public key reconstruction according to an embodiment of the present invention; and

FIGS. 12A-12D are examples of public keys constructed according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention relates to elliptic curve cryptosystems in which each participant chooses its own elliptic curve, from a predetermined set of elliptic curve equations, and also chooses its own finite field. A central facility is not utilized for curve and field selection.

Because each participant chooses its own field, although only a small number of elliptic curve equations are available, a large number of elliptic curves are possible; thus, the security of the cryptosystem is high. More particularly, an attacker must compromise each participant's curve, one at a time, which advantageously isolates the security of a participant from the security of the other participants.

Since the predetermined set of elliptic curve equations is small, and is chosen to increase the simplicity of the group cardinality computation, the system setup is sufficiently straightforward to be useful.

Another advantage of the present system is that a participant can change its curve from time to time, independently of changes made by other participants.

In one embodiment of the present invention a participant's public key includes identifying information which previously was sent but was not considered part of the cryptographic information. Since the identifying information need not be separately sent, overall message overhead is reduced, which needs to be considered when comparing the overhead of the present cryptosystem with other cryptosystems.

Another advantage of embedding the identifying information in the public key is that if an attacker misses the transmission with the public key, and obtains only subsequent transmissions, the security of the subsequent transmissions is enhanced.

FIG. 3 illustrates an elliptic curve cryptosystem according to the present invention. As shown in FIG. 3, no functions are performed by the central facility, that is, a central facility is not needed, except for certification. Each participant chooses a curve and a finite field. Subsequently, each participant performs functions corresponding to those in the conventional system depicted in FIG. 1, namely, selecting a secret key, computing a corresponding public key and obtaining certification for its public key.

In operation, an elliptic curve cryptosystem according to the present invention functions as shown in FIG. 4. Parties wishing to communicate exchange cryptographic data, reconstruct each other's public key data, and then use the reconstructed keys in cryptographic protocols, such as a signature scheme or data encryption/decryption scheme.

Elliptic curves suitable for the present invention can be expressed as a Weierstraß model, which has only two parameters, u and v, and is expressed as an equation of the form

y² = x³ + ux + v.

The following equations are a predetermined set of Weierstraß models from which each participant chooses its own elliptic curve equation:

y² = x³ + 16
y² = x³ - 270x - 1512
y² = x³ - 35x - 98
y² = x³ - 9504x - 365904
y² = x³ - 608x + 5776
y² = x³ - 13760x + 621264
y² = x³ - 117920x + 15585808
y² = x³ - 34790720x + 78984748304

When a prime number p is appropriately chosen by a participant, as described below, then at least one of the predetermined set of Weierstraß model equations defines a non-supersingular elliptic curve E over the field F(p) containing p elements such that the cardinality of the group of points of E over F(p) contains a prime divisor q that is of the same order of magnitude as p. Furthermore, p and q are chosen such that q does not divide p^m - 1 for any positive integer m with m·(ln(m·ln(p)))² ≤ 0.02·(ln(p))². If p is sufficiently large, then this curve E is not susceptible to small subgroup attacks, which would apply if the cardinality did not have a large prime divisor, nor to the subexponential time attacks based on the Weil or Tate pairings, which would apply if q divided p^m - 1 for some small m. Thus a participant chooses a prime p and an elliptic curve E over F(p) such that the cardinality of the group of points of E over F(p) has a prime divisor q of the same order of magnitude as p, and such that q does not divide p^m - 1 for any positive integer m with m·(ln(m·ln(p)))² ≤ 0.02·(ln(p))². This provides sufficient protection against the attacks based on the Tate pairing. The group cardinality is seen to be needed to provide sufficient security.

The elliptic curve E defines an integer d that depends on the equation satisfied by E, according to Table 1. In Table 1, d is such that -d equals the discriminant Δ of the endomorphism ring of E, which is useful in proving properties of interest in the present invention.

TABLE 1

curve                                   d
y² = x³ + 0x + 16                       3
y² = x³ - 270x - 1512                   8
y² = x³ - 35x - 98                      7
y² = x³ - 9504x - 365904               11
y² = x³ - 608x + 5776                  19
y² = x³ - 13760x + 621264              43
y² = x³ - 117920x + 15585808           67
y² = x³ - 34790720x + 78984748304     163

Since there are eight choices for the value of d, the choice of d can be specified by a three bit number. Specifically, three bits represent numbers {0, 1, ..., 7} which correspond to the eight choices listed in Table 1.

Furthermore, prime number p and elliptic curve E define a pair of intermediate integers a and b, depending on the equation satisfied by elliptic curve E, according to Table 2.
TABLE 2

curve                        constraints on integers a, b
y² = x³ + 0x + 16            p ≡ 1 (mod 3); a ≡ 1 (mod 3); b ≡ 0 (mod 3); a² + 3b² = 4p
y² = x³ - 270x - 1512        if p ≡ 3 (mod 16), then a ≡ 1 (mod 4); if p ≡ 11 (mod 16), then a ≡ 3 (mod 4); a² + 2b² = p
all others                   a ≡ 1; a² + d·b² = 4p

Given prime number p and intermediate integer a, the cardinality |E(F(p))| of the group of points E(F(p)) of elliptic curve E over field F(p) is given by a simple closed formula, as listed in Table 3, where j(a,d) = 1 when 2a is a square modulo d and j(a,d) = -1 when 2a is not a square modulo d, with d corresponding to the curve in Table 1. Thus, the software and runtime needed by each participant to count group cardinalities is straightforward enough for the present cryptosystem to be feasible.




TABLE 3

curve                        group cardinality
y² = x³ + 0x + 16            |E(F(p))| = p + a + 1
y² = x³ - 270x - 1512        |E(F(p))| = p - 2a + 1
y² = x³ - 9504x - 365904     |E(F(p))| = p + j(a,11)·a + 1
all others                   |E(F(p))| = p - j(a,d)·a + 1

Because of the simplicity of the formulas for the cardinality |E(F(p))| in Table 3, no complicated software or lengthy runtimes are required to generate a proper finite field and elliptic curve. When elliptic curve E satisfies any of the first three equations of the predetermined set of Weierstraß model equations, then the group cardinality always has a non-trivial divisor c, as specified in Table 4.


TABLE 4

curve                        fixed divisor c
y² = x³ + 0x + 16            9
y² = x³ - 270x - 1512        2
y² = x³ - 35x - 98           8
all others                   1



The prime number p and elliptic curve E are selected so that the cardinality |E(F(p))| given by the closed formula satisfies |E(F(p))|/c = f·q, with positive integer f ≤ 32 and q prime. This selection makes the Discrete Logarithm problem in E(F(p)) sufficiently difficult to provide adequate security, when prime number p is chosen to be sufficiently large.

Let ⊗ denote scalar multiplication in E(F(p)), that is, for a positive integer k and x ∈ E(F(p)), k ⊗ x ∈ E(F(p)) denotes the k-term sum x ⊕ x ⊕ ... ⊕ x, where ⊕ denotes the group operation in E(F(p)). If k is negative, k ⊗ x ∈ E(F(p)) is defined as the negation -(|k| ⊗ x) ∈ E(F(p)) of the point |k| ⊗ x. If k is equal to zero, k ⊗ x is the identity O in E(F(p)).

Given prime numbers p and q and elliptic curve E, a point Q in E(F(p)) of order q can be found by looking for a random point P in E(F(p)) such that Q = (c·f) ⊗ P in E(F(p)) has order q. For d = 3, use (3·f) ⊗ P instead of (9·f) ⊗ P because the order 9 subgroup is not cyclic. The point Q has order q in E(F(p)) if Q ≠ O; if Q = O, then it is necessary to select a different random point P in E(F(p)) and try again.
After p, E, q and Q are selected, the public and private keys are determined as follows. First, randomly select a positive integer m < q, with m being the private key, also referred to as the secret key. Next, compute the point G = m ⊗ Q ∈ E(F(p)). The public key consists of the five-tuple (p, E, q, Q, G), and the secret key is the integer m.

An important aspect of the present invention is how to find prime numbers p, q, elliptic curve E and point Q having the desirable properties presented above. Typically, one would expect to let intermediate integers a and b be defined by prime number p, but in one embodiment of the present invention, the pair of intermediate integers a and b is used to define prime number p. As discussed in detail below, each participant randomly selects a bitstring s having a number of bits equal to security parameter Bs. The randomly selected bitstring s is concatenated with the participant's unique bitstring ID to form a concatenated bitstring (ID||s) which is then mapped by mapping functions to ultimately obtain intermediate integers a, b, which satisfy not only the conditions in one of the rows of Table 2, thereby determining the value of integer d, but also the security requirements set forth above. After values are obtained for (ID, s, b1, d), it is straightforward to obtain a portion of the public key (p, E, q, Q), and then the entire public key.

Determination of prime numbers p, q, elliptic curve E and point Q by each participant will now be discussed.

Let it be assumed that each participant in the system has a unique bitstring ID that identifies that participant and that is recognized by all other participants in the system. In some embodiments, the bitstring ID includes an encoding of descriptive data for the participant, such as name, date of birth, address, social security number, bank account number, personnel number, system specific login name and so on. Let B be an integer valued security parameter. A useful value for B is in the range from 85 to 150, with lower values indicating minimally acceptable security and higher values indicating high security. The value for security parameter B is known system-wide.

Let Bs and Bb be two other integer valued security parameters, for example, Bs ≈ 30 and Bb ≈ 16. The values for Bs and Bb may be independently selected by each participant.

Let R1 and R2 be two different mapping functions that map strings of arbitrary length to B-bit positive integers, and let R3 be a mapping function that maps strings of arbitrary length to (2B)-bit positive integers. Mapping functions R1, R2, R3 can be defined using, for example, hash functions. Mapping functions R1, R2, R3 are known system-wide. If the devices to which mapping functions R1, R2, R3 are known are tamperproof devices, then the functions R1, R2, R3 can be considered confidential. An attacker without a cryptosystem device therefore cannot obtain (p, E, q, Q) even if given (ID, s, b1) as resulting from the participant setup procedure set forth in FIG. 5, which enhances security. An attacker with a cryptosystem device may be able to compute (p, E, q, Q), but will have difficulty extracting these values from a tamperproof device.

FIG. 5 shows a flow chart for Participant Setup. FIG. 5 depicts how a participant obtains part of its public key, namely (p, E, q, Q). The remaining part, G, is obtained as above, namely, G = m ⊗ Q ∈ E(F(p)).

At step 505, the value for security parameter B and mapping functions R1, R2, R3 are obtained. At step 510, the participant's cryptosystem selects values for security parameters Bs and Bb. At step 515, the participant's cryptosystem randomly selects a bitstring s having Bs bits. At step 520, the participant's cryptosystem applies the mapping functions R1 and R2 to the concatenation of its identity ID and the bitstring s to obtain two positive B-bit integers a = R1(ID||s) and b0 = R2(ID||s), and also initializes an integer b1, b1 = 0. Let b = b0 + b1. At step 525, the participant's cryptosystem checks if conditions on a and b are satisfied, as set forth in FIG. 6. At step 530, the participant's cryptosystem determines whether the result of the check is that conditions are satisfied. If so, at step 535, the cryptosystem outputs the values s, b1, p, E, q and Q and terminates. If not, at step 545, the participant's cryptosystem increments b1, and, at step 550, checks whether the incremented b1 is too big, that is, b1 ≥ 2^Bb.

If the incremented b1 is appropriately small, then the participant's cryptosystem returns to step 525 to recompute b as b0 + b1 and to check conditions on a and b. If the incremented b1 is too big, then the participant's cryptosystem returns to step 515 to select a new bitstring s. By the Prime Number Theorem, primes are dense enough among the candidate values of p that the procedure in FIG. 5 terminates. Practically, the procedure of FIG. 5 requires at most a few minutes runtime on readily available microprocessors such as an Intel Pentium.

FIG. 6 shows a flow chart for checking conditions on the 
pair of intermediate integers a and b. 

At step 605, the participant's cryptosystem checks 
whether the intermediate integers a and b satisfy the condi- 
tion for discriminant -3, as set forth in FIG. 7. At step 610, 
the result of the check in step 605 is evaluated. If the 
conditions for discriminant -3 are satisfied, then at step 615, 
the procedure terminates with a positive result. 

If the conditions for discriminant -3 are not satisfied, then 
at step 620, the participant's cryptosystem checks whether 
the intermediate integers a and b satisfy the condition for 
discriminant -8, as set forth in FIG. 8. At step 625, the result 
of the check in step 620 is evaluated. If the conditions for 
discriminant -8 are satisfied, then at step 615, the procedure 
terminates with a positive result. 

If the conditions for discriminant -8 are not satisfied, then 
at step 630, the participant's cryptosystem initializes the set 
D as {7, 11, 19, 43, 67, 163} and initializes the integer d as 
d = 7, which is seen to be the first element in the set D. At step 
635, the participant's cryptosystem checks whether the 
intermediate integers a and b satisfy the condition for 
discriminant -d, as set forth in FIG. 9. At step 640, the result 
of the check in step 635 is evaluated. If the conditions for 
discriminant -d are satisfied, then at step 615, the procedure 
terminates with a positive result. 

If the conditions for discriminant -d are not satisfied, then 
at step 645, the participant's cryptosystem removes d from 
D, and at step 650, checks whether there are any values 
remaining in the set D. If there are values remaining, at step 
655, the cryptosystem sets d to a value remaining in the set 
D, and returns to step 635. 

If the set D is empty, then at step 660, the cryptosystem 
terminates with a negative result, namely, the intermediate 
integers a and b do not satisfy the conditions required for the 
present invention. 

FIG. 7 shows a flow chart for checking whether the intermediate integers a and b satisfy the condition for discriminant -3.

At step 705, the participant's cryptosystem checks whether the conditions set forth in the first case of Table 2 are satisfied, namely, if a ≡ 1 mod 3, b ≡ 0 mod 3, a² + 3b² is divisible by 4, and if the quotient p = (a² + 3b²)/4 has remainder 1 upon division by 3. If any of these conditions are not satisfied, then at step 710, the procedure returns with a negative result.

If the aforementioned conditions of Table 2 are satisfied, then at step 715, the cryptosystem checks if the remainder of p upon division by 4 is 3, and if p is a prime number. If any of these conditions are not satisfied, then at step 710, the procedure returns with a negative result. The primality of p is tested using a probabilistic compositeness test wherein if p can be proved to be composite, then p is not prime, and if the proof of compositeness for p fails, then p is assumed to be prime.

If the aforementioned conditions are satisfied, then at step 720, the cryptosystem checks if (p + a + 1)/9 = f·q, for a positive integer f ≤ 32 and a prime number q. If any of these conditions are not satisfied, then at step 710, the procedure returns with a negative result.

If the aforementioned conditions are satisfied, then at step 725, the cryptosystem checks whether the point condition, as set forth in FIG. 10, is satisfied for ID, s, e = 3·f, p, q and E given by y² = x³ + 16, the first of the elliptic curve equations set forth above.

At step 730, the cryptosystem evaluates the result of the 
check in step 725. If the result is negative, then at step 710, 
the procedure returns with a negative result. 

If the result is positive, then at step 735, the procedure 
returns the result that the conditions for discriminant -3 are 
satisfied, with p, E, q, Q, being as returned by the point 
condition procedure of FIG. 10. 

FIG. 8 shows a flow chart for checking whether the intermediate integers a and b satisfy the condition for discriminant -8.

At step 805, the participant's cryptosystem obtains p = a² + 2b² and checks whether the conditions set forth in the second case of Table 2 are satisfied, namely, if, when p ≡ 3 mod 16, then a ≡ 1 mod 4, and if, when p ≡ 11 mod 16, then a ≡ 3 mod 4. If any of these conditions are not satisfied, then at step 810, the procedure returns with a negative result.

If the aforementioned conditions of Table 2 are satisfied, 
then at step 815, the cryptosystem checks if the remainder of 
p upon division by 4 is 3, and if p is a prime number. If any 
of these conditions are not satisfied, then at step 810, the 
procedure returns with a negative result. 

If the aforementioned conditions are satisfied, then at step 820, the cryptosystem checks if (p - 2a + 1)/2 = f·q, for a positive integer f ≤ 32 and a prime number q. If any of these conditions are not satisfied, then at step 810, the procedure returns with a negative result.

If the aforementioned conditions are satisfied, then at step 825, the cryptosystem checks whether the point condition, as set forth in FIG. 10, is satisfied for ID, s, e = 2·f, p, q and E given by y² = x³ - 270x - 1512, the second of the elliptic curve equations set forth above.

At step 830, the cryptosystem evaluates the result of the 
check in step 825. If the result is negative, then at step 810, 
the procedure returns with a negative result. 

If the result is positive, then at step 835, the procedure 
returns the result that the conditions for discriminant -8 are 
satisfied, with p, E, q, Q, being as returned by the point 
condition procedure of FIG. 10. 

FIG. 9 shows a flow chart for checking whether the 
intermediate integers a and b satisfy the condition for 
discriminant -d, d being one of (7, 11, 19, 43, 67, 163). 

At step 905, the participant's cryptosystem checks whether the conditions set forth in the third case of Table 2 are satisfied, namely, if a ≡ 1 and if a² + d·b² = 4p for an integer p. If any of these conditions are not satisfied, then at step 910, the procedure returns with a negative result.

If the aforementioned conditions of Table 2 are satisfied, 
then at step 915, the cryptosystem checks if the remainder of 
p upon division by 4 is 3, and if p is a prime number. If any 
of these conditions are not satisfied, then at step 910, the 
procedure returns with a negative result. 
If the aforementioned conditions are satisfied, then at step 920, the cryptosystem checks if (p + j(a,11)·a + 1)/c = f·q if d = 11, and if (p - j(a,d)·a + 1)/c = f·q otherwise, where j(a,d) = 1 when 2a is a square modulo d and j(a,d) = -1 when 2a is not a square modulo d, for a positive integer f ≤ 32 and a prime number q, with c = 8 for the case of d = 7, and c = 1 for all other cases. If any of these conditions are not satisfied, then at step 910, the procedure returns with a negative result.

If the aforementioned conditions are satisfied, then at step 925, the cryptosystem checks whether the point condition, as set forth in FIG. 10, is satisfied for ID, s, e = c·f, p, q and E given by the third through eighth of the elliptic curve equations set forth above, based on the value for d.

At step 930, the cryptosystem evaluates the result of the check in step 925. If the result is negative, then at step 910, the procedure returns with a negative result.

If the result is positive, then at step 935, the procedure returns the result that the conditions for the appropriate one of the selected discriminants are satisfied, with p, E, q, Q being as returned by the point condition procedure of FIG. 10.

FIG. 10 shows a flow chart for checking whether the point condition is satisfied for ID, s, e, p, q and E, where E is specified by the elliptic curve equation y² = x³ + ux + v.

At step 1005, the participant's cryptosystem tries to find a positive integer m such that two constraints are satisfied: first, that m·(ln(m·ln(p)))² ≤ 0.02·(ln(p))², and second, that q divides p^m - 1. Specifically, the cryptosystem checks if q divides p^m - 1 for m = 1, 2, ... in succession until m·(ln(m·ln(p)))² > 0.02·(ln(p))². If an m satisfying these two constraints is found, then the point condition is not satisfied, and the procedure returns at step 1010 with a negative result.

If no such m is found, then at step 1015, the cryptosystem obtains x = R3(ID||s) mod p and checks whether r = x³ + ux + v is a square in F(p), with u and v being the parameters of the elliptic curve equations set forth above. If r, as defined, is not a square in F(p), then the point condition is not satisfied, and the procedure returns at step 1010 with a negative result.

If r, as defined, is a square in F(p), then at step 1020, the cryptosystem obtains one of the square roots of r as y = r^((p+1)/4) mod p in F(p), forms the point P = (x, y) in E(F(p)) and multiplies P by the scalar value e in the group E(F(p)) to produce the point Q = e ⊗ P in E(F(p)).

At step 1025, the cryptosystem checks whether the point Q does not have order q in E(F(p)), that is, whether Q is equal to the identity element O in E(F(p)). If the order of Q is not equal to q, then the point condition is not satisfied, and the procedure returns at step 1010 with a negative result.

If the point Q has order q in E(F(p)), then the point condition is satisfied and the procedure returns at step 1030 with a positive result.

An important aspect of the present invention is that, given B, R1, R2, R3, ID, s, b1 and d, any participant can reconstruct (p, E, q, Q). A public key reconstruction procedure is presented below. Since B, R1, R2, R3 are known to all participants, it is only necessary to obtain the values (ID, s,

Let L(x) denote the binary length of a non-negative integer x, that is, the number of bits required for a binary representation of x.

Using the Weierstraß model, y0(X) and y1(X) for any X can be found with a square root computation in F(p), such that (y_i(X))² = X³ + uX + v, for i = 0, 1. When p ≡ 3 mod 4, the square root of a square r in F(p) can be found quickly as r^(1/2) ≡ r^((p+1)/4), which allows reduction of the 2·L(p) bits required to describe a point on the curve to 1 + L(p) bits by specifying the X-coordinate and a single bit indicating y0(X) or y1(X).

Public key size will now be discussed. The public key for a participant consists of (p, E, q, Q, G). Reconstruction of a public key requires only (ID, s, b1, d, G). The length of ID may be any number of bits, as selected by a participant; this information is required to communicate with the participant, under any scheme, and so should not be counted in the size of the participant's public key. The bit lengths of s and b1 are Bs and Bb, respectively, as selected in step 510 of FIG. 5, and may be, for example, Bs = 30 and Bb = 16. There are eight choices for d, so three bits are required to represent d. The number of bits required for G is L(p) + 1. The prime p obtained in the participant setup procedure described above has a length L(p) close to 2·B, with B being the integer valued security parameter introduced above. Thus, the amount of information from which a public key of a party of known ID can be derived is 30 + 16 + 3 + L(p) + 1 = 50 + L(p) bits.

When the present cryptosystem is used with certification, the message to be certified has a length of L(ID) + 50 + L(p) bits, which is relatively short in comparison with conventional cryptosystems. As an illustration, the length of the public key (p, E, q, Q, G), if represented conventionally and as created by a conventional central authority, would be expected to be L(p) + L(E) + L(q) + L(Q) + L(G) = L(p) + 2·L(p) + (at least L(p)/2) + (L(p) + 1) + (L(p) + 1) = at least 5.5·L(p) + 2 bits. If this conventional representation were used, the cryptographic overhead information would have a length of at least L(ID) + 5.5·L(p) + 2 bits. It can readily be seen that the reduction in cryptographic information length is the difference between the length in a conventional scheme and the length in the present cryptosystem, (at least L(ID) + 5.5·L(p) + 2) - (L(ID) + 50 + L(p)) = at least 4.5·L(p) - 48 bits. Typically, the prime p has a length of around 170 bits, although this could be another value, for a savings of 717 bits.

The reduced bit length attained by the present invention is advantageous in at least transmission, that is, more efficient use of bandwidth since less bandwidth is needed for cryptographic overhead, and storage, since reconstruction is very easy, as shown below.

In the conventional scheme, where a central authority creates the (p, E, q, Q) portion of a participant's public key, the length of the message to be certified is L(ID) + L(p) + 1. In the present cryptosystem, the length of the message to be certified is L(ID) + L(p) + 50, which is only 49 bits more, yet achieves much higher security.

bl, d) to construct the (p, E, q, Q) portion of another There can be redundancy in s and bl, to make creation of 

participant's public key. It will be appreciated that commu- fraudulent public key and ID pairs more difficult, 

nication with a participant requires identifying information An embodiment of a procedure for public key reconstruc- 

ID even without the present cryptosystem. tion is set forth in FIGS. 11 A and 11 B, which are referred to 

The remaining portion of the public key, G in E(F(p)), 60 collectively as FIG. 11. The procedure depicted in FIG. 11 

must be sent to any participant wishing to communicate with ' demonstrates that, given a participant's identifying informa- 

the participant using G. Specifying the x-coordinate of G tion ID and the values s, bl and d, E corresponding to d 

reduces the possibilities for the y-coordinate of G down to according to Table 1, and given B, Rl, R2, R3, it is very easy 

two: a larger number and a smaller number. Thus, it will be to construct the participant's (p, E, q, Q) values, 

appreciated that, to represent G, it is necessary to send only 65 At step 1105, the value B and the functions Rl, R2, R3 are 

the x-coordinate of G and a single bit indicating the larger obtained. At step 1110, the value a is obtained as a=Rl(lD||s) 

or smaller y-coordinate. and the value b is obtained as b-R2(ID||s)+bl. 
At step 1115, the conditions on a and b are checked; as before, the specific conditions depend on the value of d. While checking conditions as in steps 705, 805 or 905, as described in step 1115, p is computed as in steps 705, 805 or 905, respectively.

If the result of the condition check at step 1115 is negative, 
then at step 1120, the public key reconstruction procedure 
fails. 

If the result of the condition check at step 1115 is positive, 
then at step 1125 it is determined whether a thorough 
correctness check is required. If not, then the cryptosystem 
advances to step 1135. If a thorough correctness check is 
required, then at step 1130, the cryptosystem checks whether 
p is a prime number with remainder equal to 3 upon division 
by 4 using, for example, a probabilistic compositeness test. 
A thorough correctness check may be carried out by the 
party that creates a certificate for the public key: before 
certifying user dependent information (ID, s, bl, G) needed 
to reconstruct the public key, the certifying party performs 
the Public Key Reconstruction with a Thorough Correctness check. If, and only if, the public key can be reconstructed correctly and passes all thorough correctness tests, does the certifying party provide the desired certificate.
Other parties that receive the certified user dependent infor- 
mation (ID, s, bl, G) need not test p and q for primality 
because of their correctness certification. If the check at step 
1130 is negative, then at step 1120, the public key recon- 
struction procedure fails. 

At step 1135, depending on the value of d, values are assigned to c and t. At step 1140, the cryptosystem determines the largest positive integer f ≤ 32 such that c*f divides (p-t*a+1), and q is obtained as q = (p-t*a+1)/(c*f).

At step 1145, it is again determined whether a thorough correctness check is required using the same criteria as in step 1125. If not, then the cryptosystem advances to step 1155. If a thorough correctness check is required, then at step 1147 it is checked that there is no integer m such that m*(ln(m*ln(p)))^2 ≤ 0.02*(ln(p))^2 and such that q divides p^m - 1. If the test at step 1147 fails, then at step 1120, the public key reconstruction procedure fails. If the test at step 1147 is positive, then at step 1150, the primality of q is checked. If the check at step 1150 is negative, then at step 1120, the public key reconstruction procedure fails.

At step 1155, the proper one of the elliptic curves E is selected based on the value for d, in accordance with Table 1. The value x is obtained as R3(ID||s) mod p, the value y is obtained as (x^3 + ux + v)^((p+1)/4) in F(p), and P is set to (x, y).

At step 1157, it is determined whether d=3, and if so, then c is replaced by 3, because the order 9 subgroup is not cyclic.
At step 1158 it is determined whether a Thorough Correctness check is required, using the same criteria as in step 1125. If not, the cryptosystem advances to step 1160. If a Thorough Correctness check is required, then at step 1159, values are obtained for r = x^3 + ux + v and s = y^2 and it is checked if r = s. If not, then at step 1120, the public key reconstruction procedure fails. If r = s, then the cryptosystem advances to step 1160. At step 1160, the point Q is obtained as (c*f) ⊗ P in E(F(p)). At step 1165, it is checked whether Q is the identity element O in E(F(p)); if so, then at step 1120, the public key reconstruction procedure fails.

If Q is not the identity element, then at step 1167 it is determined whether a Thorough Correctness check is required, using the same criteria as in step 1125. If not, then the cryptosystem advances to step 1170. If a Thorough Correctness check is required, then at step 1168 the point R in E(F(p)) is obtained as q ⊗ Q in E(F(p)) and it is checked if R is equal to the identity element O in E(F(p)). If so, then the cryptosystem advances to step 1170. If R is not the identity element, then at step 1120 the public key reconstruction procedure fails. If R is the identity element, then at step 1170, the values (p, E, q, Q) are output and the public key reconstruction procedure is terminated.

The only steps in the public key reconstruction procedure which require any substantial computation are the primality checks and the check whether R is the identity element O. Exclusive of these checks, the public key reconstruction procedure takes only milliseconds to execute on a conventional, widely available processor such as an Intel Pentium.

Examples of public keys generated according to the above-described method will now be discussed.

FIGS. 12A-12D provide respective sets of values for public keys (p, E, q, Q). In these examples, for the participant's ID, the binary (base 2) bitstring having decimal (base 10) representation 11223344556677889900 was arbitrarily used, security parameters Bs=30 and Bb=8 were used, and the following mapping functions were used:

R1(x) = x^3 mod 2^B
R2(x) = (reverse(x))^3 mod 2^B

The bitstring x is in binary (base 2), for example "11001" corresponding to a decimal (base 10) value of "25". The function "reverse(x)" reverses the order of bits in a bitstring, for example, reverse(11001) = 10011. The operator "||" denotes concatenation of bitstrings, for example (10011 || 11001) = 1001111001. The examples in FIGS. 12A and 12B illustrate security parameter B=85, that is, a relatively low value, while the examples in FIGS. 12C and 12D illustrate security parameter B=150, that is, a relatively high value. Bitstring s is a different randomly chosen value in each example. All public keys (p, E, q, Q) were successfully reconstructed using the same mapping functions R1, R2, R3, participant's ID and the bitstring s and parameter b1 values set forth in the respective examples of FIGS. 12A-12D.

Once keys have been initialized in accordance with the present invention, the keys can be used in combination with any elliptic curve cryptosystem. In most conventional elliptic curve cryptosystems, a substantial portion of the runtime is devoted to computation of k ⊗ Q for a randomly selected k. In many implementations, this computation can be made faster if, for instance, the x-coordinate of Q has some known fixed value such as zero. If c=1, this is ensured by requiring that R3 yields zero. Also, if c>1, it may be required that R3 yields zero if d is other than 3, and compute (k*c) ⊗ P = k ⊗ Q, which leads to a considerable speed improvement. Similarly, for d=3, it may be required that R3 yields 1, although the saving obtained in this case is much smaller.
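The point condition of steps 1005 to 1030 and the thorough order check of steps 1165 to 1168, as an added example that is not the patent's own code: scalar multiplication, the step 1005 bound on m, the (p+1)/4 square root and the order-q test, run over constructed toy parameters (p = 23, the curve y^2 = x^3 + x + 1 with #E(F(23)) = 28 = 4*7, so q = 7 and e = c*f = 4). The mapping function R3 is not defined on this page, so its output x is passed in directly.

```python
# Added example, not from the patent: the point condition (steps 1005-1030) and the
# thorough order check (steps 1165-1168) for y^2 = x^3 + u*x + v over F(p), p = 3 (mod 4).
# Constructed toy parameters: p = 23, u = v = 1; #E(F(23)) = 28 = 4*7, so q = 7, e = 4.
import math

O = None  # identity element of E(F(p))

def ec_add(P, Q, p, u):
    """Affine chord-and-tangent addition; doubling when P == Q."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if P == Q:
        lam = (3 * x1 * x1 + u) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, p, u):
    """Scalar multiplication k (x) P by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, p, u)
        P, k = ec_add(P, P, p, u), k >> 1
    return R

def mov_condition_fails(p, q):
    """Step 1005: True if some m with m*(ln(m*ln p))^2 <= 0.02*(ln p)^2 has q | p^m - 1."""
    m, bound = 1, 0.02 * math.log(p) ** 2
    while m * math.log(m * math.log(p)) ** 2 <= bound:
        if pow(p, m, q) == 1:  # q prime: q | p^m - 1 iff p^m = 1 (mod q)
            return True
        m += 1
    return False

def point_condition(p, u, v, x, e, q):
    """Steps 1005-1030: return Q = e (x) P of order q, or None if the condition fails."""
    if p % 4 != 3:
        raise ValueError("the (p+1)/4 square root needs p = 3 (mod 4)")
    if mov_condition_fails(p, q):
        return None
    r = (x ** 3 + u * x + v) % p
    if r and pow(r, (p - 1) // 2, p) != 1:  # Euler's criterion: r must be a square in F(p)
        return None
    y = pow(r, (p + 1) // 4, p)  # step 1020: y*y == r because p = 3 (mod 4)
    Q = ec_mul(e, (x, y), p, u)
    if Q is O or ec_mul(q, Q, p, u) is not O:  # steps 1025 and 1165-1168: order exactly q
        return None
    return Q
```

With x = 0 the toy curve yields P = (0, 1) and Q = 4 ⊗ P = (13, 16) of order 7; x = 4 gives the order-2 point (4, 0), which the order check rejects, and x = 2 gives r = 11, a non-square in F(23).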

Although an illustrative embodiment of the present 
invention, and various modifications thereof, have been 
described in detail herein with reference to the accompany- 
ing drawings, it is to be understood that the invention is not 
limited to this precise embodiment and the described 
modifications, and that various changes and further modi- 
fications may be effected therein by one skilled in the art 
without departing from the scope or spirit of the invention as 
defined in the appended claims. 

What is claimed is: 

1. A method for establishing a cryptographic system 
among participants, comprising: 
selecting a curve E from a predetermined set of elliptic 
curves; 



US 6,446,205 B1



selecting a finite field; 
selecting a secret key; and 
obtaining a public key, 

wherein the selecting of the curve E, the selecting of the 
finite field, the selecting of the secret key, and the 
obtaining of the public key are performed locally by 
each of the participants, and 

wherein the predetermined set of elliptic curves are 
expressed as Weierstrass model equations. 

2. The method of claim 1, wherein the predetermined set 
of elliptic curves is: 

y^2 = x^3 - 270x - 1512; 

y^2 = x^3 - 9504x - 365904; 

y^2 = x^3 - 13760x + 621264; 

y^2 = x^3 - 117920x + 15585808; 

and 

y^2 = x^3 - 34790720x + 78984748304. 

3. The method of claim 1, wherein the obtaining of the 
public key further comprises: 

selecting a bitstring s having a predetermined length 
based on a security parameter; 
concatenating a bitstring ID and the bitstring s to form a 
concatenated bitstring, the bitstring ID unique among 
the participants; 
computing an integer a by applying a first function to the 
concatenated bitstring; 
computing an integer b by applying a second function to 
the concatenated bitstring; and 
determining a prime number p based on the integer a and 
the integer b, 

wherein the selecting of the bitstring s, the concatenating, 
the computing of the integer a, the computing of the 
integer b, and the determining of the prime number p 
are performed locally by each of the participants, and 

wherein the integer a and the integer b satisfy security 
requirements and constraints dictated by the choice of 
the curve E. 

4. The method of claim 3, wherein the public key also 
includes a prime number q of the same order of magnitude 
as the prime number p and a point Q of order q on the curve 
E, and wherein the obtaining of the public key further 
comprises: 

determining the point Q using a simple computation. 

5. The method of claim 4, wherein the step of determining 
the point Q includes: 

computing a value x by applying a third function to the 
concatenated bitstring; 
determining a value y based on using the value x in the 
curve E; and 
performing a scalar multiplication on the point (x, y) to 
generate the point Q. 

6. The method of claim 1, wherein the obtaining of the 
public key further comprises: 

selecting an integer a and an integer b; 
obtaining a prime number p as a function of the integer a 
and the integer b; and 
forming the public key from the prime number p and the 
curve E, 

wherein the selecting of the integer a and the integer b, the 
obtaining of the prime number, and the forming of the 
public key are performed locally by each of the 
participants, and 
wherein the integer a and the integer b are based on a 
bitstring ID unique among the participants, and 

wherein the integer a and the integer b satisfy security 
requirements and constraints dictated by the choice of 
the curve E. 

7. The method of claim 6, wherein the selecting of the 
integer a and the integer b further comprises: 

mapping the bitstring ID to an integer a and an integer b0 
using mapping functions known to all participants. 

8. The method of claim 7, wherein the selecting of the 
integer a and the integer b further comprises: 

selecting a bitstring s having a predetermined length 
based on a security parameter; and 
concatenating the bitstring ID and the bitstring s to form 
a concatenated bitstring. 

9. The method of claim 7, wherein the selecting of the 
integer a and the integer b further comprises: 

selecting an integer b1 so that the integer a and the integer 
b, where b = b0 + b1, satisfy a set of predetermined con- 
ditions for the prime number p and the curve E. 

10. The method of claim 9, wherein the selecting of the 
integer b1 further comprises: 

iteratively evaluating different values for the integer b1. 

11. The method of claim 1, wherein the public key 
includes a prime number p which defines a field F(p) such 
that the cardinality of the group of points of the curve E over 
the field F(p) is given by a simple closed formula. 

12. A method of reconstructing a public key for a partici- 
pant in a cryptographic system, comprising: 

forming intermediate integers a and b based on a unique 
ID for the participant; 

obtaining a prime number p as a function of the interme- 
diate integers a and b; 

selecting a curve E from a predetermined set of elliptic 
curves; 

picking a point Q on the curve E based on the unique ID 
for the participant; and 

constructing the public key from the prime number p, the 
curve E, and the point Q. 

13. The method of claim 12, wherein the predetermined 
set of elliptic curves are expressed as Weierstrass model 
equations. 

14. The method of claim 13, wherein the predetermined 
set of elliptic curves is: 

y^2 = x^3 - 0x + 16; 
y^2 = x^3 - 270x - 1512; 
y^2 = x^3 - 35x - 98; 
y^2 = x^3 - 9504x - 365904; 
y^2 = x^3 - 608x + 5776; 
y^2 = x^3 - 13760x + 621264; 
y^2 = x^3 - 117920x + 15585808; 

and 

y^2 = x^3 - 34790720x + 78984748304. 

15. The method of claim 12, wherein the forming of the 
intermediate integers a and b is also based on bitstrings s and 
b1. 

16. The method of claim 12, wherein the selecting of the 
curve E is also in accordance with an integer d. 

17. The method of claim 12, wherein the picking of the 
point Q is also based on a bitstring s. 